Most technical development and production relies on electronic systems that use database technology to manage key business processes. An example of this type of system is an Enterprise Resource Planning (ERP) system. Software products may relate to SAP NetWeaver-based solutions and the SAP R/3 platform or to Oracle-related products.
These systems process sensitive business data, so the confidentiality, integrity and availability of this information are critical for the security and continuity of the business. Moreover, all security-relevant data of a company or an application is held in the database system. Reducing the risk of security leaks or compliance breaches in the database system is therefore a major concern.
Operating a database system, such as an SAP® system, requires a large number of technical configurations, for example configurations relating to password protection (minimal and maximal password length, etc.), network connections, encryption and decryption procedures, management of access rights, etc. These configurations are set at the application level, typically at the user's site, in order to adapt the database system to the specific needs of the business case (customization). Incorrect, missing or critical configuration settings may lead to severe quality and security risks.
It is therefore necessary to check these configuration settings. Typically, there are more than 3000 configuration parameters to be set and various tables to be analyzed for this purpose. A manual check is very expensive and problematic, not least because interdependencies between different configuration parameters also have to be considered. For this reason, an automatic checking tool would be helpful: one which automatically detects violations of quality requirements and security leaks, and which issues concrete instructions for automatically correcting the relevant configuration parameters (by indicating which configuration parameter has to be set or amended in which way).
Further, it has to be taken into account that an SAP system usually has different security zones, i.e., domains in which different security requirements may exist in parallel. For example, personal data of the company's employees are to be processed with a higher degree of security than stock-keeping data. Therefore, there is a need for a product which takes different security zones into account when checking configuration settings.
Another aspect is that new business requirements and amended customizations of the database system (by the SAP customers) typically affect configuration settings. Thus, the analysis of the configuration state of the database system needs to be executed repeatedly and/or periodically, even after installation and during operation of the database system.
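
An added example, not part of the original text: a minimal checker of the kind described above, which evaluates configuration settings against zone-specific requirements, tests interdependencies between parameters, and returns a concrete instruction for each finding. The parameter names, zones, thresholds and sample configuration are hypothetical and constructed for illustration; they are not SAP or Oracle parameters.

```python
import operator

OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}

# Per-zone requirements: parameter -> (comparison, required value). All constructed.
ZONE_POLICY = {
    "personnel": {"password/min_length": (">=", 12),
                  "password/max_age_days": ("<=", 60),
                  "network/encryption": ("==", True)},
    "stock":     {"password/min_length": (">=", 8),
                  "password/max_age_days": ("<=", 180)},
}

# Interdependency rules apply in every zone: (name, predicate, instruction).
CROSS_RULES = [
    ("minimum password length exceeds maximum",
     lambda c: c["password/min_length"] <= c["password/max_length"],
     "raise password/max_length to at least password/min_length"),
    ("remote access enabled without encryption",
     lambda c: not c.get("network/remote_access") or c.get("network/encryption"),
     "set network/encryption = True or disable network/remote_access"),
]

def check(zone, config):
    """Return a list of (parameter_or_rule, finding, instruction) tuples."""
    findings = []
    for param, (op, required) in ZONE_POLICY[zone].items():
        if param not in config:
            findings.append((param, "missing", f"set {param} {op} {required}"))
        elif not OPS[op](config[param], required):
            findings.append((param, f"is {config[param]}", f"set {param} {op} {required}"))
    for name, holds, fix in CROSS_RULES:
        try:
            ok = holds(config)
        except KeyError as missing:
            findings.append((name, f"cannot evaluate: {missing} not set", fix))
            continue
        if not ok:
            findings.append((name, "violated", fix))
    return findings

# Constructed sample: the same settings checked against two zones.
SAMPLE = {"password/min_length": 10, "password/max_length": 8,
          "password/max_age_days": 90, "network/remote_access": True,
          "network/encryption": False}

if __name__ == "__main__":
    for zone in ZONE_POLICY:
        for item, finding, fix in check(zone, SAMPLE):
            print(f"[{zone}] {item}: {finding} -> {fix}")
```

The same settings pass the per-parameter requirements of the "stock" zone but fail those of the "personnel" zone, while the interdependency rules fire in both.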